2024-09-22 00:29:36 +09:00
|
|
|
package app
|
|
|
|
|
|
|
|
|
|
import (
|
2025-01-21 12:10:58 +09:00
|
|
|
"bytes"
|
|
|
|
|
"encoding/gob"
|
2024-09-22 00:29:36 +09:00
|
|
|
"errors"
|
2024-11-16 21:19:45 +09:00
|
|
|
"fmt"
|
2025-01-21 12:10:58 +09:00
|
|
|
"io"
|
2024-10-23 21:46:21 +09:00
|
|
|
"io/fs"
|
2025-02-19 01:36:07 +09:00
|
|
|
"os"
|
2024-10-11 04:18:15 +09:00
|
|
|
"path"
|
2024-11-19 21:01:41 +09:00
|
|
|
"regexp"
|
2025-02-19 13:41:06 +09:00
|
|
|
"strings"
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2024-12-28 13:23:27 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/acl"
|
2024-12-20 00:20:02 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/dbus"
|
|
|
|
|
"git.gensokyo.uk/security/fortify/fst"
|
2025-01-22 01:51:10 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/helper/bwrap"
|
2025-02-14 12:44:55 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/internal"
|
2024-12-20 00:20:02 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/internal/fmsg"
|
|
|
|
|
"git.gensokyo.uk/security/fortify/internal/state"
|
2025-02-19 12:33:51 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/internal/sys"
|
2025-02-17 19:00:43 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/system"
|
2025-02-19 13:41:06 +09:00
|
|
|
"git.gensokyo.uk/security/fortify/wl"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
home = "HOME"
|
|
|
|
|
shell = "SHELL"
|
|
|
|
|
|
|
|
|
|
xdgConfigHome = "XDG_CONFIG_HOME"
|
|
|
|
|
xdgRuntimeDir = "XDG_RUNTIME_DIR"
|
|
|
|
|
xdgSessionClass = "XDG_SESSION_CLASS"
|
|
|
|
|
xdgSessionType = "XDG_SESSION_TYPE"
|
|
|
|
|
|
|
|
|
|
term = "TERM"
|
|
|
|
|
display = "DISPLAY"
|
|
|
|
|
|
|
|
|
|
pulseServer = "PULSE_SERVER"
|
|
|
|
|
pulseCookie = "PULSE_COOKIE"
|
|
|
|
|
|
|
|
|
|
dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
|
|
|
|
|
dbusSystemBusAddress = "DBUS_SYSTEM_BUS_ADDRESS"
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
ErrConfig = errors.New("no configuration to seal")
|
2024-11-16 21:19:45 +09:00
|
|
|
ErrUser = errors.New("invalid aid")
|
|
|
|
|
ErrHome = errors.New("invalid home directory")
|
2024-11-19 21:01:41 +09:00
|
|
|
ErrName = errors.New("invalid username")
|
2025-02-19 13:41:06 +09:00
|
|
|
|
|
|
|
|
ErrXDisplay = errors.New(display + " unset")
|
|
|
|
|
|
|
|
|
|
ErrPulseCookie = errors.New("pulse cookie not present")
|
|
|
|
|
ErrPulseSocket = errors.New("pulse socket not present")
|
|
|
|
|
ErrPulseMode = errors.New("unexpected pulse socket mode")
|
2024-09-22 00:29:36 +09:00
|
|
|
)
|
|
|
|
|
|
2024-11-19 21:01:41 +09:00
|
|
|
var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
|
|
|
|
|
|
2025-02-19 01:04:14 +09:00
|
|
|
// appSeal stores copies of various parts of [fst.Config]
|
2024-10-20 22:54:47 +09:00
|
|
|
type appSeal struct {
|
2025-02-19 13:41:06 +09:00
|
|
|
// passed through from [fst.Config]
|
2024-10-20 22:54:47 +09:00
|
|
|
command []string
|
2025-02-19 01:36:07 +09:00
|
|
|
|
|
|
|
|
// state instance initialised during seal; used during process lifecycle events
|
2024-10-20 22:54:47 +09:00
|
|
|
store state.Store
|
2025-02-19 13:41:06 +09:00
|
|
|
// initial [fst.Config] gob stream for state data;
|
|
|
|
|
// this is prepared ahead of time as config is mutated during seal creation
|
|
|
|
|
ct io.WriterTo
|
|
|
|
|
// dump dbus proxy message buffer
|
|
|
|
|
dbusMsg func()
|
2025-02-19 01:36:07 +09:00
|
|
|
// whether [system.I] was committed; used during process lifecycle events
|
|
|
|
|
needRevert bool
|
|
|
|
|
// whether state was inserted into [state.Store]; used during process lifecycle events
|
|
|
|
|
stateInStore bool
|
2024-10-20 22:54:47 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
user appUser
|
2025-02-19 01:36:07 +09:00
|
|
|
sys *system.I
|
|
|
|
|
container *bwrap.Config
|
|
|
|
|
bwrapSync *os.File
|
|
|
|
|
|
2024-10-20 22:54:47 +09:00
|
|
|
// protected by upstream mutex
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-19 01:36:07 +09:00
|
|
|
// appUser stores post-fsu credentials and metadata
|
|
|
|
|
type appUser struct {
|
|
|
|
|
// application id
|
|
|
|
|
aid *stringPair[int]
|
|
|
|
|
// target uid resolved by fid:aid
|
|
|
|
|
uid *stringPair[int]
|
|
|
|
|
|
|
|
|
|
// supplementary group ids
|
|
|
|
|
supp []string
|
|
|
|
|
|
|
|
|
|
// home directory host path
|
|
|
|
|
data string
|
|
|
|
|
// app user home directory
|
|
|
|
|
home string
|
|
|
|
|
// passwd database username
|
|
|
|
|
username string
|
|
|
|
|
}
|
|
|
|
|
|
2025-02-19 12:33:51 +09:00
|
|
|
func (seal *appSeal) finalise(sys sys.State, config *fst.Config, id string) error {
|
2025-02-19 00:25:00 +09:00
|
|
|
{
|
2025-02-19 13:41:06 +09:00
|
|
|
// encode initial configuration for state tracking
|
|
|
|
|
ct := new(bytes.Buffer)
|
|
|
|
|
if err := gob.NewEncoder(ct).Encode(config); err != nil {
|
|
|
|
|
return fmsg.WrapErrorSuffix(err,
|
|
|
|
|
"cannot encode initial config:")
|
2025-02-19 00:25:00 +09:00
|
|
|
}
|
2025-02-19 13:41:06 +09:00
|
|
|
seal.ct = ct
|
2024-11-04 03:15:39 +09:00
|
|
|
}
|
|
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
// pass through command slice; this value is never touched in the main process
|
|
|
|
|
seal.command = config.Command
|
|
|
|
|
|
|
|
|
|
// allowed aid range 0 to 9999, this is checked again in fsu
|
2024-11-16 21:19:45 +09:00
|
|
|
if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
|
|
|
|
|
return fmsg.WrapError(ErrUser,
|
|
|
|
|
fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2025-02-19 13:41:06 +09:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Resolve post-fsu user state
|
|
|
|
|
*/
|
|
|
|
|
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.user = appUser{
|
2025-02-19 00:25:00 +09:00
|
|
|
aid: newInt(config.Confinement.AppID),
|
2024-12-28 13:23:27 +09:00
|
|
|
data: config.Confinement.Outer,
|
|
|
|
|
home: config.Confinement.Inner,
|
|
|
|
|
username: config.Confinement.Username,
|
|
|
|
|
}
|
2025-02-19 01:36:07 +09:00
|
|
|
if seal.user.username == "" {
|
|
|
|
|
seal.user.username = "chronos"
|
|
|
|
|
} else if !posixUsername.MatchString(seal.user.username) ||
|
|
|
|
|
len(seal.user.username) >= internal.Sysconf_SC_LOGIN_NAME_MAX() {
|
2024-12-28 13:23:27 +09:00
|
|
|
return fmsg.WrapError(ErrName,
|
2025-02-19 01:36:07 +09:00
|
|
|
fmt.Sprintf("invalid user name %q", seal.user.username))
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2025-02-19 01:36:07 +09:00
|
|
|
if seal.user.data == "" || !path.IsAbs(seal.user.data) {
|
2024-12-28 13:23:27 +09:00
|
|
|
return fmsg.WrapError(ErrHome,
|
2025-02-19 01:36:07 +09:00
|
|
|
fmt.Sprintf("invalid home directory %q", seal.user.data))
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2025-02-19 01:36:07 +09:00
|
|
|
if seal.user.home == "" {
|
|
|
|
|
seal.user.home = seal.user.data
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2025-02-19 12:33:51 +09:00
|
|
|
if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
|
2025-02-18 17:36:58 +09:00
|
|
|
return err
|
2024-11-16 21:19:45 +09:00
|
|
|
} else {
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.user.uid = newInt(u)
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.user.supp = make([]string, len(config.Confinement.Groups))
|
2024-12-28 13:23:27 +09:00
|
|
|
for i, name := range config.Confinement.Groups {
|
2025-02-19 12:33:51 +09:00
|
|
|
if g, err := sys.LookupGroup(name); err != nil {
|
2024-12-28 13:23:27 +09:00
|
|
|
return fmsg.WrapError(err,
|
|
|
|
|
fmt.Sprintf("unknown group %q", name))
|
2024-09-22 00:29:36 +09:00
|
|
|
} else {
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.user.supp[i] = g.Gid
|
2024-11-16 21:19:45 +09:00
|
|
|
}
|
2024-12-28 13:23:27 +09:00
|
|
|
}
|
2024-11-16 21:19:45 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
/*
|
|
|
|
|
Resolve initial container state
|
|
|
|
|
*/
|
2024-10-11 04:18:15 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
// permissive defaults
|
2024-10-11 04:18:15 +09:00
|
|
|
if config.Confinement.Sandbox == nil {
|
2025-02-16 17:26:09 +09:00
|
|
|
fmsg.Verbose("sandbox configuration not supplied, PROCEED WITH CAUTION")
|
2024-10-11 04:18:15 +09:00
|
|
|
|
2024-12-18 15:50:46 +09:00
|
|
|
conf := &fst.SandboxConfig{
|
2024-10-11 04:18:15 +09:00
|
|
|
UserNS: true,
|
|
|
|
|
Net: true,
|
2025-01-22 01:51:10 +09:00
|
|
|
Syscall: new(bwrap.SyscallPolicy),
|
2024-10-11 04:18:15 +09:00
|
|
|
NoNewSession: true,
|
2024-11-04 22:18:05 +09:00
|
|
|
AutoEtc: true,
|
2024-10-11 04:18:15 +09:00
|
|
|
}
|
|
|
|
|
// bind entries in /
|
2025-02-19 12:33:51 +09:00
|
|
|
if d, err := sys.ReadDir("/"); err != nil {
|
2024-10-11 04:18:15 +09:00
|
|
|
return err
|
|
|
|
|
} else {
|
2024-12-18 15:50:46 +09:00
|
|
|
b := make([]*fst.FilesystemConfig, 0, len(d))
|
2024-10-11 04:18:15 +09:00
|
|
|
for _, ent := range d {
|
2024-10-25 13:31:57 +09:00
|
|
|
p := "/" + ent.Name()
|
|
|
|
|
switch p {
|
|
|
|
|
case "/proc":
|
|
|
|
|
case "/dev":
|
|
|
|
|
case "/tmp":
|
|
|
|
|
case "/mnt":
|
|
|
|
|
case "/etc":
|
2024-11-04 22:18:05 +09:00
|
|
|
|
2024-10-11 04:18:15 +09:00
|
|
|
default:
|
2024-12-18 15:50:46 +09:00
|
|
|
b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
|
2024-10-11 04:18:15 +09:00
|
|
|
}
|
|
|
|
|
}
|
2024-10-12 22:33:04 +09:00
|
|
|
conf.Filesystem = append(conf.Filesystem, b...)
|
2024-10-11 04:18:15 +09:00
|
|
|
}
|
2025-01-15 10:07:51 +09:00
|
|
|
|
2024-10-13 02:43:00 +09:00
|
|
|
// hide nscd from sandbox if present
|
|
|
|
|
nscd := "/var/run/nscd"
|
2025-02-19 12:33:51 +09:00
|
|
|
if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
|
2024-10-16 01:38:59 +09:00
|
|
|
conf.Override = append(conf.Override, nscd)
|
2024-10-13 02:43:00 +09:00
|
|
|
}
|
2024-10-12 22:55:53 +09:00
|
|
|
// bind GPU stuff
|
2024-10-16 14:38:57 +09:00
|
|
|
if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
|
2024-12-18 15:50:46 +09:00
|
|
|
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
|
2024-10-12 22:55:53 +09:00
|
|
|
}
|
2024-12-22 12:37:24 +09:00
|
|
|
// opportunistically bind kvm
|
|
|
|
|
conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
|
2024-10-25 13:31:57 +09:00
|
|
|
|
2024-10-11 04:18:15 +09:00
|
|
|
config.Confinement.Sandbox = conf
|
|
|
|
|
}
|
2025-02-19 13:41:06 +09:00
|
|
|
|
|
|
|
|
var mapuid *stringPair[int]
|
|
|
|
|
{
|
|
|
|
|
var uid int
|
|
|
|
|
var err error
|
|
|
|
|
seal.container, err = config.Confinement.Sandbox.Bwrap(sys, &uid)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
mapuid = newInt(uid)
|
|
|
|
|
if seal.container.SetEnv == nil {
|
|
|
|
|
seal.container.SetEnv = make(map[string]string)
|
|
|
|
|
}
|
2024-10-11 04:18:15 +09:00
|
|
|
}
|
|
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
/*
|
|
|
|
|
Initialise externals
|
|
|
|
|
*/
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
sc := sys.Paths()
|
|
|
|
|
seal.store = state.NewMulti(sc.RunDirPath)
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.sys = system.New(seal.user.uid.unwrap())
|
|
|
|
|
seal.sys.IsVerbose = fmsg.Load
|
|
|
|
|
seal.sys.Verbose = fmsg.Verbose
|
|
|
|
|
seal.sys.Verbosef = fmsg.Verbosef
|
|
|
|
|
seal.sys.WrapErr = fmsg.WrapError
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
/*
|
|
|
|
|
Work directories
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
// base fortify share path
|
|
|
|
|
seal.sys.Ensure(sc.SharePath, 0711)
|
|
|
|
|
|
|
|
|
|
// outer paths used by the main process
|
|
|
|
|
seal.sys.Ensure(sc.RunDirPath, 0700)
|
|
|
|
|
seal.sys.UpdatePermType(system.User, sc.RunDirPath, acl.Execute)
|
|
|
|
|
seal.sys.Ensure(sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
|
|
|
|
|
seal.sys.UpdatePermType(system.User, sc.RuntimePath, acl.Execute)
|
|
|
|
|
|
|
|
|
|
// outer process-specific share directory
|
|
|
|
|
sharePath := path.Join(sc.SharePath, id)
|
|
|
|
|
seal.sys.Ephemeral(system.Process, sharePath, 0711)
|
|
|
|
|
// similar to share but within XDG_RUNTIME_DIR
|
|
|
|
|
sharePathLocal := path.Join(sc.RunDirPath, id)
|
|
|
|
|
seal.sys.Ephemeral(system.Process, sharePathLocal, 0700)
|
|
|
|
|
seal.sys.UpdatePerm(sharePathLocal, acl.Execute)
|
|
|
|
|
|
|
|
|
|
// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as post-fsu user
|
|
|
|
|
innerRuntimeDir := path.Join("/run/user", mapuid.String())
|
|
|
|
|
seal.container.Tmpfs("/run/user", 1*1024*1024)
|
|
|
|
|
seal.container.Tmpfs(innerRuntimeDir, 8*1024*1024)
|
|
|
|
|
seal.container.SetEnv[xdgRuntimeDir] = innerRuntimeDir
|
|
|
|
|
seal.container.SetEnv[xdgSessionClass] = "user"
|
|
|
|
|
seal.container.SetEnv[xdgSessionType] = "tty"
|
|
|
|
|
|
|
|
|
|
// outer path for inner /tmp
|
|
|
|
|
{
|
|
|
|
|
tmpdir := path.Join(sc.SharePath, "tmpdir")
|
|
|
|
|
seal.sys.Ensure(tmpdir, 0700)
|
|
|
|
|
seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
|
|
|
|
|
tmpdirProc := path.Join(tmpdir, seal.user.aid.String())
|
|
|
|
|
seal.sys.Ensure(tmpdirProc, 01700)
|
|
|
|
|
seal.sys.UpdatePermType(system.User, tmpdirProc, acl.Read, acl.Write, acl.Execute)
|
|
|
|
|
seal.container.Bind(tmpdirProc, "/tmp", false, true)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Passwd database
|
|
|
|
|
*/
|
2024-09-22 00:29:36 +09:00
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
// look up shell
|
|
|
|
|
sh := "/bin/sh"
|
|
|
|
|
if s, ok := sys.LookupEnv(shell); ok {
|
|
|
|
|
seal.container.SetEnv[shell] = s
|
|
|
|
|
sh = s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// bind home directory
|
|
|
|
|
homeDir := "/var/empty"
|
|
|
|
|
if seal.user.home != "" {
|
|
|
|
|
homeDir = seal.user.home
|
|
|
|
|
}
|
|
|
|
|
username := "chronos"
|
|
|
|
|
if seal.user.username != "" {
|
|
|
|
|
username = seal.user.username
|
|
|
|
|
}
|
|
|
|
|
seal.container.Bind(seal.user.data, homeDir, false, true)
|
|
|
|
|
seal.container.Chdir = homeDir
|
|
|
|
|
seal.container.SetEnv["HOME"] = homeDir
|
|
|
|
|
seal.container.SetEnv["USER"] = username
|
|
|
|
|
|
|
|
|
|
// generate /etc/passwd and /etc/group
|
|
|
|
|
seal.container.CopyBind("/etc/passwd",
|
|
|
|
|
[]byte(username+":x:"+mapuid.String()+":"+mapuid.String()+":Fortify:"+homeDir+":"+sh+"\n"))
|
|
|
|
|
seal.container.CopyBind("/etc/group",
|
|
|
|
|
[]byte("fortify:x:"+mapuid.String()+":\n"))
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Display servers
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
// pass $TERM to launcher
|
|
|
|
|
if t, ok := sys.LookupEnv(term); ok {
|
|
|
|
|
seal.container.SetEnv[term] = t
|
2024-09-22 00:29:36 +09:00
|
|
|
}
|
|
|
|
|
|
2025-02-19 13:41:06 +09:00
|
|
|
// set up wayland
|
|
|
|
|
if config.Confinement.Enablements.Has(system.EWayland) {
|
|
|
|
|
// outer wayland socket (usually `/run/user/%d/wayland-%d`)
|
|
|
|
|
var socketPath string
|
|
|
|
|
if name, ok := sys.LookupEnv(wl.WaylandDisplay); !ok {
|
|
|
|
|
fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
|
|
|
|
|
socketPath = path.Join(sc.RuntimePath, wl.FallbackName)
|
|
|
|
|
} else if !path.IsAbs(name) {
|
|
|
|
|
socketPath = path.Join(sc.RuntimePath, name)
|
|
|
|
|
} else {
|
|
|
|
|
socketPath = name
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
innerPath := path.Join(innerRuntimeDir, wl.FallbackName)
|
|
|
|
|
seal.container.SetEnv[wl.WaylandDisplay] = wl.FallbackName
|
|
|
|
|
|
|
|
|
|
if !config.Confinement.Sandbox.DirectWayland { // set up security-context-v1
|
|
|
|
|
socketDir := path.Join(sc.SharePath, "wayland")
|
|
|
|
|
outerPath := path.Join(socketDir, id)
|
|
|
|
|
seal.sys.Ensure(socketDir, 0711)
|
|
|
|
|
appID := config.ID
|
|
|
|
|
if appID == "" {
|
|
|
|
|
// use instance ID in case app id is not set
|
|
|
|
|
appID = "uk.gensokyo.fortify." + id
|
|
|
|
|
}
|
|
|
|
|
seal.sys.Wayland(&seal.bwrapSync, outerPath, socketPath, appID, id)
|
|
|
|
|
seal.container.Bind(outerPath, innerPath)
|
|
|
|
|
} else { // bind mount wayland socket (insecure)
|
|
|
|
|
fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")
|
|
|
|
|
seal.container.Bind(socketPath, innerPath)
|
|
|
|
|
seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// set up X11
|
|
|
|
|
if config.Confinement.Enablements.Has(system.EX11) {
|
|
|
|
|
// discover X11 and grant user permission via the `ChangeHosts` command
|
|
|
|
|
if d, ok := sys.LookupEnv(display); !ok {
|
|
|
|
|
return fmsg.WrapError(ErrXDisplay,
|
|
|
|
|
"DISPLAY is not set")
|
|
|
|
|
} else {
|
|
|
|
|
seal.sys.ChangeHosts("#" + seal.user.uid.String())
|
|
|
|
|
seal.container.SetEnv[display] = d
|
|
|
|
|
seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
PulseAudio server and authentication
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if config.Confinement.Enablements.Has(system.EPulse) {
|
|
|
|
|
// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
|
|
|
|
|
pulseRuntimeDir := path.Join(sc.RuntimePath, "pulse")
|
|
|
|
|
// PulseAudio socket (usually `/run/user/%d/pulse/native`)
|
|
|
|
|
pulseSocket := path.Join(pulseRuntimeDir, "native")
|
|
|
|
|
|
|
|
|
|
if _, err := sys.Stat(pulseRuntimeDir); err != nil {
|
|
|
|
|
if !errors.Is(err, fs.ErrNotExist) {
|
|
|
|
|
return fmsg.WrapErrorSuffix(err,
|
|
|
|
|
fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
|
|
|
|
|
}
|
|
|
|
|
return fmsg.WrapError(ErrPulseSocket,
|
|
|
|
|
fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if s, err := sys.Stat(pulseSocket); err != nil {
|
|
|
|
|
if !errors.Is(err, fs.ErrNotExist) {
|
|
|
|
|
return fmsg.WrapErrorSuffix(err,
|
|
|
|
|
fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
|
|
|
|
|
}
|
|
|
|
|
return fmsg.WrapError(ErrPulseSocket,
|
|
|
|
|
fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pulseRuntimeDir))
|
|
|
|
|
} else {
|
|
|
|
|
if m := s.Mode(); m&0o006 != 0o006 {
|
|
|
|
|
return fmsg.WrapError(ErrPulseMode,
|
|
|
|
|
fmt.Sprintf("unexpected permissions on %q:", pulseSocket), m)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// hard link pulse socket into target-executable share
|
|
|
|
|
innerPulseRuntimeDir := path.Join(sharePathLocal, "pulse")
|
|
|
|
|
innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
|
|
|
|
|
seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
|
|
|
|
|
seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket)
|
|
|
|
|
seal.container.SetEnv[pulseServer] = "unix:" + innerPulseSocket
|
|
|
|
|
|
|
|
|
|
// publish current user's pulse cookie for target user
|
|
|
|
|
if src, err := discoverPulseCookie(sys); err != nil {
|
|
|
|
|
// not fatal
|
|
|
|
|
fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
|
|
|
|
|
} else {
|
|
|
|
|
innerDst := fst.Tmp + "/pulse-cookie"
|
|
|
|
|
seal.container.SetEnv[pulseCookie] = innerDst
|
|
|
|
|
payload := new([]byte)
|
|
|
|
|
seal.container.CopyBindRef(innerDst, &payload)
|
|
|
|
|
seal.sys.CopyFile(payload, src, 256, 256)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
D-Bus proxy
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if config.Confinement.Enablements.Has(system.EDBus) {
|
|
|
|
|
// ensure dbus session bus defaults
|
|
|
|
|
if config.Confinement.SessionBus == nil {
|
|
|
|
|
config.Confinement.SessionBus = dbus.NewConfig(config.ID, true, true)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// downstream socket paths
|
|
|
|
|
sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
|
|
|
|
|
|
|
|
|
|
// configure dbus proxy
|
|
|
|
|
if f, err := seal.sys.ProxyDBus(
|
|
|
|
|
config.Confinement.SessionBus, config.Confinement.SystemBus,
|
|
|
|
|
sessionPath, systemPath,
|
|
|
|
|
); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
} else {
|
|
|
|
|
seal.dbusMsg = f
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// share proxy sockets
|
|
|
|
|
sessionInner := path.Join(innerRuntimeDir, "bus")
|
|
|
|
|
seal.container.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
|
|
|
|
|
seal.container.Bind(sessionPath, sessionInner)
|
|
|
|
|
seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
|
|
|
|
|
if config.Confinement.SystemBus != nil {
|
|
|
|
|
systemInner := "/run/dbus/system_bus_socket"
|
|
|
|
|
seal.container.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
|
|
|
|
|
seal.container.Bind(systemPath, systemInner)
|
|
|
|
|
seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Miscellaneous
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
// queue overriding tmpfs at the end of seal.container.Filesystem
|
|
|
|
|
for _, dest := range config.Confinement.Sandbox.Override {
|
|
|
|
|
seal.container.Tmpfs(dest, 8*1024)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// append ExtraPerms last
|
|
|
|
|
for _, p := range config.Confinement.ExtraPerms {
|
|
|
|
|
if p == nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if p.Ensure {
|
|
|
|
|
seal.sys.Ensure(p.Path, 0700)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
perms := make(acl.Perms, 0, 3)
|
|
|
|
|
if p.Read {
|
|
|
|
|
perms = append(perms, acl.Read)
|
|
|
|
|
}
|
|
|
|
|
if p.Write {
|
|
|
|
|
perms = append(perms, acl.Write)
|
|
|
|
|
}
|
|
|
|
|
if p.Execute {
|
|
|
|
|
perms = append(perms, acl.Execute)
|
|
|
|
|
}
|
|
|
|
|
seal.sys.UpdatePermType(system.User, p.Path, perms...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// mount fortify in sandbox for init
|
|
|
|
|
seal.container.Bind(sys.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))
|
|
|
|
|
seal.container.Symlink("fortify", path.Join(fst.Tmp, "sbin/init"))
|
|
|
|
|
|
2025-02-16 17:26:09 +09:00
|
|
|
fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, command: %s",
|
2025-02-19 01:36:07 +09:00
|
|
|
seal.user.uid, seal.user.username, config.Confinement.Groups, config.Command)
|
2024-09-22 00:29:36 +09:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2025-02-19 13:41:06 +09:00
|
|
|
|
|
|
|
|
// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
|
|
|
|
|
func discoverPulseCookie(sys sys.State) (string, error) {
|
|
|
|
|
if p, ok := sys.LookupEnv(pulseCookie); ok {
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// dotfile $HOME/.pulse-cookie
|
|
|
|
|
if p, ok := sys.LookupEnv(home); ok {
|
|
|
|
|
p = path.Join(p, ".pulse-cookie")
|
|
|
|
|
if s, err := sys.Stat(p); err != nil {
|
|
|
|
|
if !errors.Is(err, fs.ErrNotExist) {
|
|
|
|
|
return p, fmsg.WrapErrorSuffix(err,
|
|
|
|
|
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
|
|
|
|
}
|
|
|
|
|
// not found, try next method
|
|
|
|
|
} else if !s.IsDir() {
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// $XDG_CONFIG_HOME/pulse/cookie
|
|
|
|
|
if p, ok := sys.LookupEnv(xdgConfigHome); ok {
|
|
|
|
|
p = path.Join(p, "pulse", "cookie")
|
|
|
|
|
if s, err := sys.Stat(p); err != nil {
|
|
|
|
|
if !errors.Is(err, fs.ErrNotExist) {
|
|
|
|
|
return p, fmsg.WrapErrorSuffix(err,
|
|
|
|
|
fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
|
|
|
|
|
}
|
|
|
|
|
// not found, try next method
|
|
|
|
|
} else if !s.IsDir() {
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return "", fmsg.WrapError(ErrPulseCookie,
|
|
|
|
|
fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
|
|
|
|
|
pulseCookie, xdgConfigHome, home))
|
|
|
|
|
}
|
